Mis-matching code signing certificates is this allowed again?

Was under the impression that all executable components needed to be signed with the same certificate as the bundle. However I've just encountered a recently Notarized application where that isn't the case.

These components are in the "/Contents/Resources/" folder of the main bundle. While I can suggest the developer to sign these with the same identity and move them to a more suitable location.

It would appear that codesign, GateKeeper and Notarization has accepted these.

Or are these restrictions for the Mac App Store only?

Up vote post of rowlands Down vote post of rowlands
356 views
Posted by
rowlands
Reply
Add a Comment

Accepted Reply

Or are these restrictions for the Mac App Store only?

Yes. The notary service requires that each code item be signed with a valid Developer ID but it does not require:

  • That the Developer ID be the same for all code items

  • That the Developer ID match the team doing the notarisation

The App Store is stricter about this. I’m a little fuzzy on the rules there but I believe the only variance it allows is for specific libraries signed by Apple (like the Swift runtime).

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Post marked as solved

  • Quinn, Thank you for your prompt and informative response. I really appreciate being able to fire questions here and have you answer them so quickly and precisely.

    Have a great week.

    Sam Rowlands

    rowlands
Add a Comment

Replies

Or are these restrictions for the Mac App Store only?

Yes. The notary service requires that each code item be signed with a valid Developer ID but it does not require:

  • That the Developer ID be the same for all code items

  • That the Developer ID match the team doing the notarisation

The App Store is stricter about this. I’m a little fuzzy on the rules there but I believe the only variance it allows is for specific libraries signed by Apple (like the Swift runtime).

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Post marked as solved

  • Quinn, Thank you for your prompt and informative response. I really appreciate being able to fire questions here and have you answer them so quickly and precisely.

    Have a great week.

    Sam Rowlands

    rowlands
Add a Comment